Hi,
We're using the Nexus Platform Plugin in Jenkins to carry out Android vulnerability scans.
I'm looking for how Nexus IQ will scan an Android application.
I tried to apply the parameter scanPattern as [*.apk] file, but it does not get scanned.
e.g. We're executing the following pipeline script in Jenkins
nexusPolicyEvaluation iqApplication: 'ApplicationID', iqStage: 'build', iqScanPatterns: [scanPattern: '**/*.apk']
Any thoughts?
nickcook
(Nick Cook )
January 24, 2019, 12:10am
2
Hi,
Check out this post from @fcremer for information about scanning Android with IQ server.
Nexus IQ Server does not support scanning an .apk file directly due to the minification performed via the dalvik byte code process. For this reason, scanning prior to the assembling of the .apk is required.
Check out this article for more information on How Your Android Code Compiles to Deliver .APK Package File .
As an example, in Gradle you could add to your build.gradle a small amount of additional code that essentially would perform 2 main actions during the build:
Execute the copyCom…
Thanks for the workaround. It works.
We are able to scan the Android vulnerabilities.
Any thoughts on whether it is available with the Nexus Platform Plugin itself?
anoop.nair
(Anoop Nair)
November 10, 2022, 4:59pm
4
Recently I had the requirement to perform an IQ scan on an Android package and the above instructions do not work with the latest version of Android. This is confirmed by the Sonatype support team as well. I'll walk you through the steps that worked for me:
Environment
Dependency and build tool: Gradle
Build pipeline: Gitlab CI
Android SDK version: 29
Design
Generate an SBOM from the apk file
Upload SBOM to Sonatype lifecycle to get reporting into the platform
Validate violation response to use as a build action
Steps
Add the following to build.gradle.
cyclonedx 1.7.x did not work for me.
plugins {
    // CycloneDX Gradle plugin: produces the SBOM that is uploaded to IQ
    id 'org.cyclonedx.bom' version '1.6.1'
}

cyclonedxBom {
    // Skip test and debug configurations so the SBOM lists only release dependencies
    skipConfigs += [
        "debugCompileClasspath",
        "debugAndroidTestCompileClasspath",
        "debugUnitTestCompileClasspath",
        "releaseUnitTestCompileClasspath",
        "debugUnitTestRuntimeClasspath",
        "releaseUnitTestRuntimeClasspath"
    ]
    // bom.xml is written here; the CI job collects it from this path
    destination = file("app/build/reports")
}
Add the following to the gitlab-ci.yml file to generate an SBOM file
iq-sbom:
  stage: build
  # Packages installation before running script
  before_script:
    - chmod +x ./gradlew
  script:
    # Runs the cyclonedxBom task configured in build.gradle
    - ./gradlew cyclonedxBom
  artifacts:
    paths:
      # Keep the SBOM so the next stage can upload it
      - app/build/reports/bom.xml
In gitlab-ci.yml,
Upload SBOM using Sonatype Rest API to the Sonatype platform
Wait a few seconds
Validate response
Fail build if there is a policy violation
Replace IQ_URL and APP_ID
iq-scan:
  stage: security-scan
  variables:
    APPLICATION_INTERNAL_ID: 'APP_ID'
    # Replace IQ_URL with the IQ server host; $APPLICATION_INTERNAL_ID is expanded by GitLab
    IQ_URL: 'https://IQ_URL/api/v2/scan/applications/$APPLICATION_INTERNAL_ID/sources/cyclone'
  script:
    - |
      apt-get update && apt-get install jq -y
      # Upload the CycloneDX SBOM; the JSON response carries the relative statusUrl.
      # iq_user / iq_pass are CI/CD variables holding the IQ credentials.
      # -k disables TLS verification; drop it once the IQ server certificate is trusted.
      STATUS_URL=$(curl -k -s -X POST -H 'Content-Type: application/xml' \
        -u "${iq_user}:${iq_pass}" -d @app/build/reports/bom.xml "$IQ_URL" | jq -r '.statusUrl')
      # Give the evaluation time to finish before reading its result
      sleep 30
      CHECK_STATUS_OUTPUT=$(curl -k -s -X GET -H 'Content-Type: application/json' \
        -u "${iq_user}:${iq_pass}" "https://IQ_URL/$STATUS_URL")
      SCAN_RESULT=$(echo "$CHECK_STATUS_OUTPUT" | jq -r '.policyAction')
      REPORT_URI=$(echo "$CHECK_STATUS_OUTPUT" | jq -r '.reportHtmlUrl')
      echo "Report: https://IQ_URL/$REPORT_URI"
      # policyAction is "Failure" when a policy with a Fail action was violated
      if [ "$SCAN_RESULT" = "Failure" ]; then
        echo "Scan result: $SCAN_RESULT"
        exit 1
      fi
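The upload-then-check flow in the post above hinges on two fragile steps: parsing statusUrl out of the response with grep/cut, and a fixed sleep before reading the result. The following is an added example, not the script from the post or anything shipped by Sonatype, that does the same job as a small Python program a CI job can call: it reads the statusUrl as JSON, polls the status endpoint instead of sleeping a fixed time, and fails closed on anything other than a known "None" or "Warning" policyAction. It assumes the response shapes the post relies on (statusUrl, policyAction, reportHtmlUrl); the assumption that the status endpoint answers 404 while the evaluation is still running, and the environment variable names used in main, are the example's own, not the thread's.

```python
"""Upload a CycloneDX SBOM to Sonatype IQ and turn the evaluation into a build decision.

Added example for the thread above; not the poster's script.
Assumptions (not stated in the thread): the status endpoint returns HTTP 404
while an evaluation is still in progress, and 200 once the result is ready.
"""
import base64
import json
import os
import sys
import time
import urllib.error
import urllib.request
from typing import Callable, Tuple

# fetch(url) -> (http_status, response_body); injectable so it can be faked offline
FetchFn = Callable[[str], Tuple[int, str]]

# Only these policyAction values let the build pass; anything else (including
# "Failure" and unexpected values) fails the build rather than silently passing.
PASSING_ACTIONS = {"None", "Warning"}


def _basic_auth_header(user: str, password: str) -> str:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_status_url(upload_response: str) -> str:
    """Extract statusUrl from the JSON returned by the SBOM upload endpoint."""
    try:
        data = json.loads(upload_response)
    except json.JSONDecodeError as exc:
        raise ValueError(f"upload response is not JSON: {upload_response[:80]!r}") from exc
    status_url = data.get("statusUrl")
    if not status_url:
        raise ValueError("upload response has no statusUrl")
    return status_url


def decide(status_body: str, base_url: str) -> Tuple[bool, str, str]:
    """Map the evaluation status JSON to (build_passes, policy_action, report_url)."""
    data = json.loads(status_body)
    action = data.get("policyAction", "Unknown")
    report_url = f"{base_url.rstrip('/')}/{data.get('reportHtmlUrl', '').lstrip('/')}"
    return action in PASSING_ACTIONS, action, report_url


def poll_status(fetch: FetchFn, status_url: str, attempts: int = 12, delay: float = 5.0) -> str:
    """Poll the status URL until it answers 200; retry only on 404 (assumed 'still running').

    Any other status (401, 500, ...) is raised immediately so a bad credential or
    wrong URL fails fast instead of looping until the timeout.
    """
    for attempt in range(1, attempts + 1):
        code, body = fetch(status_url)
        if code == 200:
            return body
        if code != 404:
            raise RuntimeError(f"unexpected HTTP {code} from {status_url}: {body[:200]}")
        if attempt < attempts:
            time.sleep(delay)
    raise TimeoutError(f"evaluation not complete after {attempts} polls of {status_url}")


def basic_auth_fetch(user: str, password: str, timeout: float = 30.0) -> FetchFn:
    """Build a real fetch function using urllib with HTTP basic auth."""
    headers = {"Authorization": _basic_auth_header(user, password), "Accept": "application/json"}

    def fetch(url: str) -> Tuple[int, str]:
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # non-2xx answers end up here
            return err.code, err.read().decode("utf-8", "replace")

    return fetch


def upload_sbom(base_url: str, app_internal_id: str, sbom_xml: bytes, user: str, password: str) -> str:
    """POST the SBOM to the cyclone source endpoint and return the relative statusUrl."""
    url = f"{base_url.rstrip('/')}/api/v2/scan/applications/{app_internal_id}/sources/cyclone"
    req = urllib.request.Request(
        url, data=sbom_xml, method="POST",
        headers={"Content-Type": "application/xml", "Authorization": _basic_auth_header(user, password)},
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return parse_status_url(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Environment variable names are this example's choice; set them in the CI job.
    base, app_id = os.environ["IQ_BASE_URL"], os.environ["IQ_APP_INTERNAL_ID"]
    user, password = os.environ["IQ_USER"], os.environ["IQ_PASS"]
    with open(sys.argv[1] if len(sys.argv) > 1 else "app/build/reports/bom.xml", "rb") as fh:
        status_url = upload_sbom(base, app_id, fh.read(), user, password)
    body = poll_status(basic_auth_fetch(user, password), f"{base.rstrip('/')}/{status_url}")
    passed, action, report = decide(body, base)
    print(f"policyAction: {action}\nReport: {report}")
    sys.exit(0 if passed else 1)
```

Called as `python iq_gate.py app/build/reports/bom.xml` from the security-scan stage, it replaces the sleep/grep/cut block; the fake-able fetch function is what makes the polling and decision logic testable without an IQ server.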